Enterprises may use virtual private networks (VPNs) to allow employees to communicate securely with servers at an enterprise location. For example, an enterprise may provide a VPN gateway that is coupled to a protected network. An employee using a client device at a remote location may establish a VPN connection to the VPN gateway through the Internet. Subsequently, the VPN gateway forwards network traffic flowing through the VPN connection to servers on the protected network. In this way, the employee may communicate with servers on the protected network. In some circumstances, it may be advantageous for only certain applications to communicate through the VPN tunnel. For instance, limiting use of the VPN tunnel to certain applications may reduce the processing burden on the VPN gateway.
Various implementations of application-specific VPN connections may operate at different layers of the Open Systems Interconnect (OSI) reference model, which describes a seven-layer model. These layers are the physical layer (Layer 1), the data link layer (Layer 2), the network layer (Layer 3), the transport layer (Layer 4), the session layer (Layer 5), the presentation layer (Layer 6), and the application layer (Layer 7).
In one transport-layer VPN implementation, i.e., a Layer 4 VPN, a VPN administrator provides applications executing on a client device with “loop-back” addresses. When one of the applications attempts to send a message addressed to a “loop-back” address, the message is processed through the full network stack on the client device. However, the message does not leave the client device. Rather, the message is delivered to a proxy on the client device. The proxy maintains a Secure Sockets Layer (SSL) connection with a VPN gateway using a private Internet Protocol (IP) address assigned to the proxy by the VPN gateway. The proxy may send the message to the VPN gateway via the SSL connection as though the proxy originated the message. The VPN gateway also acts as a proxy. That is, the VPN gateway operates as the termination point for the SSL connection, processes the message through its network stack, and forwards the message through a different session as though the VPN gateway originated the message.
In one network-layer VPN implementation (i.e., a Layer 3 VPN), a network administrator installs a VPN client on a client device. The VPN client maintains a network-layer VPN connection with a VPN gateway. The VPN client acts as a virtual adapter with its own assigned network address. When the virtual adapter receives an IP packet, the virtual adapter encapsulates the IP packet in a secure network-layer tunneling protocol such as an Internet Protocol Security (IPsec) protocol. The virtual adapter then forwards the IPsec protocol packet to a VPN gateway. When the VPN gateway receives the IPsec packet, the VPN gateway removes the IPsec protocol encapsulation and forwards the original IP packet to a destination server on the protected network. To ensure that IP packets addressed to destination servers reach the virtual adapter, a network administrator modifies a route table in the client device to direct IP packets addressed to specific destination servers through the virtual adapter. For example, if 128.0.0.1 is the IP address of an email server on a protected network, a network administrator may add an entry to a route table on the client device to force the client device to route IP packets addressed to 128.0.0.1 through the virtual adapter. In this way, the network administrator may select the servers to which the client device sends network traffic via the VPN connection.
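The following is an added example, not code from the original text: it models the Layer 3 route-table selection described above, so an administrator can verify which destinations a client would send through the virtual adapter before and after adding a host route. The route table, the interface names (eth0, tun0) and the second server address 128.0.0.2 are constructed for illustration; only 128.0.0.1 comes from the text.

```python
import ipaddress

# Constructed client route table: a default route via the physical adapter,
# a local LAN route, and the /32 host route the administrator adds so that
# packets for the protected e-mail server (128.0.0.1) go through the
# virtual adapter "tun0".
ROUTE_TABLE = [
    ("0.0.0.0/0", "eth0"),        # default route, physical adapter
    ("192.168.1.0/24", "eth0"),   # local LAN, physical adapter
    ("128.0.0.1/32", "tun0"),     # host route added for the VPN
]


def select_interface(dst, table=ROUTE_TABLE):
    """Longest-prefix match, the rule an IP stack applies when choosing
    the egress interface for a packet addressed to `dst`."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def add_host_route(table, host, iface="tun0"):
    """Mimic the administrator's change: return a new table with a /32
    route forcing one more protected server through the virtual adapter."""
    net = ipaddress.ip_network(f"{host}/32")
    return table + [(str(net), iface)]


def tunneled_destinations(dsts, table=ROUTE_TABLE, vpn_iface="tun0"):
    """Report, per destination, whether it would leave via the VPN adapter.
    Useful to confirm only the intended servers use the tunnel and that
    no protected server silently falls back to the default route."""
    return {d: select_interface(d, table) == vpn_iface for d in dsts}


if __name__ == "__main__":
    print(tunneled_destinations(["128.0.0.1", "128.0.0.2", "8.8.8.8"]))
    widened = add_host_route(ROUTE_TABLE, "128.0.0.2")
    print(tunneled_destinations(["128.0.0.1", "128.0.0.2"], widened))
```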